Subway email weirdness: Suspicion grows over apparent Trickbot trojan delivery campaign
If you got an unexpected message from the not-footlong guys, don't click links
Updated Subway patrons in the UK received suspicious emails this morning and infosec researchers fear this is linked to the theft of customer details – and a Trickbot malware campaign.
"I've just had an email purporting to be from Subway (the sandwich people) and sent to an address used only for Subway," Reg reader Alan told us. He wasn't alone; it appears that something bad has happened to Subway involving its email marketing systems.
A wave of tweets began hitting Subway UK's account this morning as people wondered why the takeaway sandwich chain, famous for its not-quite-footlong baguettes, had started emailing them out of the blue.
@SubwayUK have you had a data breach or something? Just received an email from 'subcard@UK-IE.subwaysubcard.eu' addressing my name and says I've placed an order. There's a typo in the email on the word 'another' (misspelt as 'anather') and has dodgy looking links in it??— Win San Pang (@WinSanPang) December 11, 2020
Security researcher Oliver Hough, noted purveyor of sophisticated infosec tweets, took a look at the apparent phishing campaign. In emails he had seen, links took users to a booby-trapped XLS spreadsheet – with others chipping in to say that it looked very much like those were leading unsuspecting users straight to a Trickbot infection.
Trickbot is a banking trojan that steals online banking information and personal data, ready for criminals to then commit identity fraud. As the National Cyber Security Centre puts it: "Trickbot targets victims with well-crafted phishing emails, designed to appear as though sent from trusted commercial or government brands. These emails will often contain an attachment (or link to an attachment) which victims are instructed to open, leading to their machine being exploited."
Source code of one of the suspicious emails posted to Github by PHP dev Richard Bairwell revealed the full message headers, which appear to point to email firm Campaign Monitor as the source of the message.
Bairwell told The Register he received the two suspicious emails at his link above today, adding: "Both emails – like all emails from Subway from at least May last year – have come via CampaignMonitor/cmail.com."
It appears that malicious people may have gained access to Subway's email campaign systems, in light of this morning's email seemingly having been sent through legitimate pathways previously used for genuine marketing messages.
Yesterday the fast food biz changed its consumer loyalty app, switching from its old Subcard app to one simply named Subway.
We have asked Subway for comment on both the apparent breach and the phishing campaign and will update this article if we hear back from the privately held US chain. ®
Updated to add
Subway sent us the following statement: "We are aware of some disruption to our email systems and understand some of our guests have received an unauthorised email. We are currently investigating the matter and apologise for any inconvenience. As soon as we have more information, we will be in touch, until then, as a precautionary measure, we advise guests delete the email."